Unable to access NIFI Rest api of another server in secured mode - ajax

I am trying to access NIFI rest api of another server from my machine using ajax like below,
url:"https://serverip:port/nifi-api/",
{Authorization : 'Bearer ' + 'access token here'}
Getting Response to preflight request doesn't pass access control
check: No 'Access-Control-Allow-Origin' header is present on the
requested resource error.

Apache NiFi's API is designed to be invoked by a variety of clients, but in this case I think you are encountering a security precaution put in place by CORS (Cross-Origin Resource Sharing).
If a piece of code on server A (your non-NiFi machine) makes an AJAX request to a different origin (your NiFi instance), and the HTTP method is not GET (and some other minor restrictions), server A will first send a "preflight" request, which is HTTP OPTIONS, to the remote instance to determine what requests are valid. A server can reply to this with the header Access-Control-Allow-Origin: *, which is a wildcard value denoting it accepts requests from any origin. However, if you want to send credentials along with the request, the originating hostname must be explicitly listed in the response (Access-Control-Allow-Origin: https://serverA.com).
Because NiFi uses an embedded Jetty server to host the API, you may have to explicitly add a CrossOriginFilter as described here.

Related

Spring websocket - client CORS policy error

I am using websockets to communicate between server and client. I followed this documentation to implement websocket dependecy. Now when I try to connect via example client page it produces the following error:
Access to XMLHttpRequest at '....' from origin 'null' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I have tried adding .setAllowedOrigins("*") to WebSocketConfig but it didn't fix this. What is the solution?
As the error message says you are sending a request with credentials set to include, I guess you are sending some kind of token/access data with your request.
When doing so your server must respond with the correct origin. If you are in development try setting your localhost. For example .setAllowedOrigins("http://localhost:8080") or what ever you are using. In production you need to replace that with your deployment url.
You might find success with .setAllowedOriginsPattern("*").
See the following documentation for more stricter patterns.

Handle cross domain issue in angular 4 with external API

I am using Postal PIN Code API for getting Post Office(s) details search by Postal PIN Code in angular 5 application. Below is the url of the external API :
http://postalpincode.in/api/pincode/{**PINCODE}**
I am issuing a GET request from the application but it is giving me below error :
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access
Although this request is working perfectly fine from browser and postman. I understand that we need to configure our server with cross-domain policies for accepting cross-domain request but this is an external API and I don't have control over it. How can I resolve this issue?
Thanks in Advance !!
Best: CORS header (requires server changes) CORS (Cross-Origin Resource Sharing) is a way for the server to say “I will accept your request, even though you came from a different origin.” This requires cooperation from the server – so if you can’t modify the server (e.g. if you’re using an external API), this approach won’t work.
Modify the server to add the header Access-Control-Allow-Origin: * to enable cross-origin requests from anywhere (or specify a domain instead of *). This should solve your problem.
2nd choice: Proxy Server If you can’t modify the server, you can run your own proxy. And this proxy can return the Access-Control-Allow-Origin header if it’s not at the Same Origin as your page.
Instead of sending API requests to some remote server, you’ll make requests to your proxy, which will forward them to the remote server.
Here are a few proxy options.
Ref: https://daveceddia.com/access-control-allow-origin-cors-errors-in-angular/

No 'Access-Control-Allow-Origin' header is present on the requested resource does not apply to postman

I have implemented a restful service. I have tested it using an ajax request within the application and also with postman client and both worked. But when i try to send an ajax request from a different application i get the below error in browser console.
http://localhost:8080/AusIncomeCalculator/AUSTax/post. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8089' is therefore not allowed access.
I don't understand how the postman client get a successful response while the other applications cannot.
RESTful service is hosted in JBOSS-eap 7.0 with rest easy
What happen is for security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts.Postman is a REST Client that runs as an application inside the Chrome browser. It is specifically designed for testing rest APIs, and therefore it doesn't restrict cross origin resource request.

Invoking JAX-WS web services from remote machine using JQuery and AJAX

I am new to Java SOAP web services. Recently I have created a web service using the JAX-WS specification. This is deployed in the WebLogic server I am using in my machine. Now when I want to invoke the web service from the web application written in JavaScript remote machine on another server, it giving me the following error.
I have also browsed for some other similar kind of posts like this
I am sending the request using JavaScript and SoapClient.js Library.
My invocation code is:
SOAPClient.invoke("http://inhydkvaranasi1:7001/TodoWS/TodoListService",
"getTodos", p1, true, function(data) {
$("#todolist").html('');
if (Object.keys(data).length < 1) {
$("#todolist").html(
"<h4>No Todos Available right now!</h4>");
} else {
Object.keys(data).forEach(
function(key) {
$("#todolist").append(
"<li>" + data[key]["task1"]
+ "(Priority "
+ data[key]["id0"]
+ ") </p>");
});
}
});
The request sent by the XMLHttpRequest() object did not get a response header as Access-Control-Allow-Origin in the XML response.
How could I solve this problem? So that my web service can be used publicly by any user from different domain on different server.
Look at the CORS HTTP headers (from codingpedia.org):
Client side HTTP request headers. These are headers that clients may use when issuing HTTP requests in order to make use of the cross-sharing feature:
Origin: URI indicating the server from which the request initiated. It does not include any path information, but only the
server name
Access-Control-Request-Headers: used when issuing a preflight request to let the server know what HTTP headers will be used when the
actual request is made
Access-Control-Request-Method: used when issuing a preflight request to let the server know what HTTP method will be used when the
actual request is made
Server side HTTP response headers. These are the HTTP headers that the server sends back for access control requests:
Access-Control-Allow-Origin: specifies the authorized domains to make cross-domain request (you should include the domains of your
clients or “*” if you want the resource public and available to
everyone – the latter is not an option if credentials are allowed
during CORS requests)
Access-Control-Expose-Headers: lets a server white list headers that browsers are allowed to access
Access-Control-Max-Age: indicates how long the results of a preflight request can be cached.
Access-Control-Allow-Credentials: indicates if the server allows credentials during CORS requests
Access-Control-Allow-Methods:
indicates the methods allowed when accessing the resource
Access-Control-Allow-Headers: used in response to a preflight request to indicate which HTTP headers can be used when making the
actual request

Pre-flight OPTIONS request failing over HTTPS

A CORS POST request (AJAX) made by my client server (running on Apache # port 443) to my REST server (running on Tomcat # port 8443), fails to trigger when tried over HTTPS.
Please note that all the requests function properly without SSL.
I have already set the withCredentials: true options in the request fields. And my Tomcat server also takes care of the appropriate headers :
response.addHeader("Access-Control-Allow-Origin", "https://localhost");
response.addHeader("Access-Control-Allow-Credentials", "true");
response.addHeader("Access-Control-Allow-Headers", "Content-Type");
response.addHeader("Access-Control-Allow-Methods", "OPTIONS, POST");
I also tried using Curl, but the issue persisted over SSL. However, the Tomcat server responds to all my requests when tried directly over Postman/through the browser.
Could someone tell me what I'm missing out here?
I'm assuming this is an issue with the preflight request. There are two types of CORS requests: simple, and not-so-simple.
The simple kind is either a GET or POST with no custom headers whose content type is "text/plain".
The not-so-simple kind is any request using custom headers, utilising request methods other than POST or GET, and using different content body types. These requests will be "preflighted"; that is the browser will make a preflight request on the clients behalf in order to determine whether or not the server will allow this request. The preflight request uses the OPTIONS method. I'm willing to bet if you use something like Firebug to have a look what's going on you'll see something like this in the Net tab: "OPTIONS activity" with a status of "Aborted".
Unfortunately the preflight request doesn't pass the client certificate to the server which is why your request is failing to trigger. You need to disable two way SSL in order to get it working. In Apache you can try changing the SSLVerifyClient to:
SSLVerifyClient optional
I've used this before in order to get my cross domain AJAX calls working over HTTPS.
Good luck.

Resources